HashTools

HMAC Generator

Compute Hash-based Message Authentication Codes — HMAC-SHA256, HMAC-SHA512, and HMAC-MD5 — locally in your browser.


What is HMAC?

HMAC (Hash-based Message Authentication Code) is a construction defined in RFC 2104 that combines a cryptographic hash function with a secret key to produce a tag that proves both the integrity and authenticity of a message. Anyone with the shared secret can recompute the HMAC and verify that the message was not tampered with and came from someone who knows the key.

HMAC vs a plain hash

A plain hash like SHA-256 only proves integrity to someone who already has the original message — an attacker who can change the message can simply recompute the hash. HMAC mixes a secret key into the hashing process, so without the key an attacker cannot produce a valid tag for a forged message.

Common uses

HMAC powers webhook signatures (Stripe, GitHub, Slack), AWS Signature V4 request signing, JWT HS256/HS512 tokens, session cookie integrity, and TOTP/HOTP one-time codes. Use HMAC-SHA256 for almost everything new; HMAC-SHA512 for longer tags; and HMAC-MD5 only when an old protocol or library requires it.
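The difference between a plain hash and an HMAC shows up when a webhook-style receiver checks a modified body. The sketch below is an added example, not code from this tool; the key, the bodies, and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for this example, not real data).
SECRET = b"constructed-demo-key"
BODY = b'{"event":"invoice.paid","amount":100}'
TAMPERED = b'{"event":"invoice.paid","amount":999999}'


def plain_digest(body):
    """Unkeyed SHA-256 hex digest: computable by anyone who has the body."""
    return hashlib.sha256(body).hexdigest()


def sign(body, key=SECRET):
    """HMAC-SHA256 tag as lowercase hex."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_plain(body, digest):
    """Integrity check with no key: passes for any body/digest pair that match."""
    return hmac.compare_digest(plain_digest(body), digest)


def verify_hmac(body, tag, key=SECRET):
    """Recompute the tag under the shared key and compare in constant time."""
    try:
        return hmac.compare_digest(sign(body, key), tag.strip().lower())
    except TypeError:  # compare_digest rejects non-ASCII str input
        return False


def relabel_without_key(body):
    """What a party lacking SECRET can attach to a changed body."""
    return plain_digest(body), sign(body, key=b"not-the-real-key")


if __name__ == "__main__":
    digest, tag = relabel_without_key(TAMPERED)
    print("genuine body, genuine tag :", verify_hmac(BODY, sign(BODY)))
    print("tampered body, plain hash :", verify_plain(TAMPERED, digest))
    print("tampered body, keyless tag:", verify_hmac(TAMPERED, tag))
    print("tampered body, old tag    :", verify_hmac(TAMPERED, sign(BODY)))
```

The receiver should compute the tag over the raw request bytes exactly as received, before any JSON parsing or re-serialization, and compare with `hmac.compare_digest` rather than `==`.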